
Conversation

@juliusknorr (Member)

Signed-off-by: Julius Härtl [email protected]

📝 Summary

  • Resolves: #

🖼️ Screenshots

🏚️ Before 🏡 After
B A

🚧 TODO

  • ...

🏁 Checklist

  • Code is properly formatted (npm run lint / npm run stylelint / composer run cs:check)
  • Sign-off message is added to all commits
  • Tests (unit, integration and/or end-to-end) passing and the changes are covered with tests
  • Documentation (README or documentation) has been updated or is not required

@cypress

cypress bot commented Jun 23, 2023

Passing run #10766

Failed 0 · Passed 146 · Pending 1 · Skipped 0 · Flakiness 0

Details:

debug: cypress failure on upload
Project: Text Commit: 6e2751779b
Status: Passed Duration: 03:50
Started: Jun 28, 2023 6:55 PM Ended: Jun 28, 2023 6:59 PM

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

.then(requesttoken => {
cy.request('/csrftoken')
.then(({ body }) => {
const requesttoken = body.token
@juliusknorr (Member Author)

I think the duplicate `then` might cause timing issues, but no idea why; so far test runs on CI seem promising.

@juliusknorr juliusknorr force-pushed the cypress/debug branch 6 times, most recently from a6bf7e3 to 08441b7 Compare June 24, 2023 07:53
@juliusknorr juliusknorr mentioned this pull request Jun 24, 2023
@juliusknorr juliusknorr force-pushed the cypress/debug branch 4 times, most recently from d8df69f to 7878c70 Compare June 25, 2023 17:55
@juliusknorr (Member Author)

juliusknorr commented Jun 26, 2023

Suspicious from the logs: the service worker request after login (possibly from an older context) does generate a new CSRF token and fails with no user session.
out.log

[
  "/index.php/login",
  "Ivtec0d1ZilXSDG2QviO",
  "2023-06-26T14:30:46+00:00",
  "CsrfTokenManager::refreshToken ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
[
  "/index.php/apps/files",
  "iKfWgZLmkIfZ3nZnfb9B",
  "2023-06-26T14:30:47+00:00",
  "CsrfTokenManager::getToken from session ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
// Some requests follow like this
[
  "/index.php/apps/theming/theme/light.css?plain=1&v=16ac97b0",
  "tLPlYmFcowDh07KdE7Hv",
  "2023-06-26T14:30:47+00:00",
  "CsrfTokenManager::getToken from session ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "Auo9QxA9hrZy2P6TDuRa",
  "2023-06-26T14:30:48+00:00",
  "CsrfTokenManager::getToken generate session HdLHWDvGZX1juFkOCzOJywiuOPMUSOJG"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "Auo9QxA9hrZy2P6TDuRa",
  "2023-06-26T14:30:48+00:00",
  "Current user is not logged in"
]
[
  "/index.php/apps/theming/theme/dark-highcontrast.css?plain=0&v=16ac97b0",
  "XJc1OUZLxuZakU8uC1Um",
  "2023-06-26T14:30:48+00:00",
  "CsrfTokenManager::getToken from session ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
// A bit later requests switch over to the new token:
[
  "/index.php/apps/theming/theme/dark.css?plain=1&v=16ac97b0",
  "bJQQWQuTRkYEnDzoGI7z",
  "2023-06-26T14:30:49+00:00",
  "CsrfTokenManager::getToken from session HdLHWDvGZX1juFkOCzOJywiuOPMUSOJG"
]

Possibly related cypress-io/cypress#16192

@juliusknorr (Member Author)

juliusknorr commented Jun 26, 2023

Another interesting log trace:

  • Seems we somehow hit brute force protection
  • service worker is still requested somewhere between user creation and login
  • login triggers logout so we may still send previous session information
[
  "/ocs/v2.php/cloud/users?format=json",
  "1oOQY0r9gMUR6wyv2It9",
  "Successful addUser call with userid: xojrqg"
]
[
  "/index.php/csrftoken",
  "p49937LSej2lyNmaDQLN",
  "CsrfTokenManager::getToken generate session HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "7vxu9QaG5KOfIICYVSF3",
  "CsrfTokenManager::getToken generate session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::isTokenValid ehp8t3or2tkw35zniioqt2rbNJO2z+NH - HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "UserSession::logout"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "Bruteforce attempt from \"127.0.0.1\" detected for action \"login\"."
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 127.0.0.1]"
]
[
  "/index.php/apps/files",
  "mS42ijELIn1JHl39pj8I",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/apps/files",
  "mS42ijELIn1JHl39pj8I",
  "Current user is not logged in"
]

nextcloud 19.log

This case also still involves preview-service-worker.js

[
  "/index.php/csrftoken",
  "p49937LSej2lyNmaDQLN",
  "CsrfTokenManager::getToken generate session HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "7vxu9QaG5KOfIICYVSF3",
  "CsrfTokenManager::getToken generate session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::isTokenValid ehp8t3or2tkw35zniioqt2rbNJO2z+NH - HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files",
  "mS42ijELIn1JHl39pj8I",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
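
The sequence traced in the two log excerpts above (an unauthenticated request for preview-service-worker.js minting a fresh session token, the login then submitting the token fetched earlier from /index.php/csrftoken, the validity check failing and the session being logged out) can be reconstructed mechanically from the debug entries. The following is an added example, not code from this PR or from Nextcloud: it parses the concatenated JSON-array entries into a CSRF token timeline and flags every isTokenValid check whose session token and submitted token were minted by different requests. The message patterns and the field order in the isTokenValid line (session token first, submitted token second) are assumptions inferred from the surrounding entries; the sample log is copied from the second excerpt, and the parser also accepts the four-field form with a timestamp used in the first excerpt by taking the last field as the message.

```javascript
// Added example, not code from the nextcloud/text PR or from Nextcloud itself.
// Rebuilds the CSRF token timeline from the JSON-array debug entries quoted in
// the thread and reports validity checks where the session token and the
// submitted token came from different requests.

// Constructed sample: entries copied from the second log excerpt in the thread.
// Each entry is [path, requestId, message]; entries with a timestamp before the
// message (first excerpt) are handled by taking the last field as the message.
const SAMPLE_LOG = `
[
  "/index.php/csrftoken",
  "p49937LSej2lyNmaDQLN",
  "CsrfTokenManager::getToken generate session HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "7vxu9QaG5KOfIICYVSF3",
  "CsrfTokenManager::getToken generate session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::isTokenValid ehp8t3or2tkw35zniioqt2rbNJO2z+NH - HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "UserSession::logout"
]
`;

// Concatenated JSON arrays are not one JSON document: put commas between the
// top-level arrays and wrap them so a single JSON.parse can read the lot.
function parseEntries(text) {
  const joined = text.trim().replace(/\]\s*\[/g, '],[');
  return JSON.parse(`[${joined}]`).map((fields) => ({
    path: fields[0],
    requestId: fields[1],
    message: fields[fields.length - 1],
  }));
}

// Message patterns assumed from the entries in the thread. For isTokenValid the
// order "<token in session> - <token submitted by client>" is inferred from the
// "getToken from session" entry that precedes it on the same request.
const GENERATED = /CsrfTokenManager::(?:refreshToken|getToken generate session) (\S+)/;
const REUSED = /CsrfTokenManager::getToken from session (\S+)/;
const VALIDATED = /CsrfTokenManager::isTokenValid (\S+) - (\S+)/;

function analyzeCsrfTimeline(entries) {
  const generatedBy = new Map(); // token -> { path, requestId } that minted it
  const timeline = [];
  const findings = [];

  entries.forEach((entry, index) => {
    const { path, requestId, message } = entry;
    let m;
    if ((m = GENERATED.exec(message))) {
      generatedBy.set(m[1], { path, requestId });
      timeline.push({ requestId, path, event: 'generated', token: m[1] });
    } else if ((m = REUSED.exec(message))) {
      timeline.push({ requestId, path, event: 'reused', token: m[1] });
    } else if ((m = VALIDATED.exec(message))) {
      const [, sessionToken, submittedToken] = m;
      timeline.push({ requestId, path, event: 'validated', token: sessionToken, submittedToken });
      if (sessionToken !== submittedToken) {
        // Did the failed check end in a logout on the same request?
        const followedByLogout = entries
          .slice(index + 1)
          .some((e) => e.requestId === requestId && e.message === 'UserSession::logout');
        findings.push({
          requestId,
          path,
          submittedTokenFrom: generatedBy.get(submittedToken)?.path ?? null,
          sessionTokenFrom: generatedBy.get(sessionToken)?.path ?? null,
          followedByLogout,
        });
      }
    }
  });
  return { timeline, findings };
}

function analyzeLog(text) {
  return analyzeCsrfTimeline(parseEntries(text));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of analyzeLog(SAMPLE_LOG).findings) {
    console.log(`CSRF mismatch on ${f.path} [${f.requestId}]: submitted token minted by ` +
      `${f.submittedTokenFrom}, session token minted by ${f.sessionTokenFrom}, ` +
      `followed by logout: ${f.followedByLogout}`);
  }
}
```

Run it with node on a file containing the block, or pass the contents of out.log to analyzeLog after stripping the // comment lines. The finding it produces for the sample names the two requests that minted the competing tokens, which is exactly the question the thread is asking: whether the session token was replaced by a request outside the test's own flow before the login form was submitted.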

@juliusknorr (Member Author)

Another related one cypress-io/cypress#702

The workarounds to disable service workers in cypress don't seem to do the trick, but patching out the service worker part in the server seems promising for today's pushes: https://github.com/nextcloud/text/actions/workflows/cypress.yml?query=branch%3Acypress%2Fdebug

Signed-off-by: Julius Härtl <[email protected]>
@juliusknorr juliusknorr changed the title debug: cypress failure on upload debug: cypress failure on upload / CSRF / Session failure with 401 Jul 21, 2023
@juliusknorr (Member Author)

Closing as tests seem more stable now
